When a user logs out or reset his password, the current session should be invalidated.
Therefore, grab the cookies while the user is logged in, log out, and check if the cookies are still valid.
Repeat the process changing the password instead of logging out.